Content Security Supported Features
WELF Logging for Content Security Features
- Understanding WELF Logging for Content Security Features
- Example: Configuring WELF Logging for Content Security Features
Understanding WELF Logging for Content Security Features
Content Security features support the WELF standard. The WELF Reference defines the WebTrends industry standard log file exchange format. Any system logging to this format is compatible with Firewall Suite 2.0 and later, Firewall Reporting Center 1.0 and later, and Security Reporting Center 2.0 and later.
A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies.
Each WELF record is composed of fields. The record identifier
field (id=) must be the first field in a record. All other
fields can appear in any order.
The following is a sample WELF record:
id=firewall time="2000-2-4 12:01:01" fw=192.168.0.238 pri=6 rule=3 proto=http
src=192.168.0.23 dst=6.1.0.36 rg=www.example.com/index.html op=GET result=0
rcvd=1426
The fields from the example WELF record include the following required elements (all other fields are optional):
id(Record identifier)time(Date/time)fw(Firewall IP address or name)pri(Priority of the record)
Example: Configuring WELF Logging for Content Security Features
This example shows how to configure WELF logging for Content Security features.
Requirements
Before you begin, review the fields used to create a WELF log file and record. See Content Security Overview.
Overview
A WELF log file is composed of records. Each record is a single
line in the file. Records are always in chronological order. The earliest
record is the first record in the file; the most recent record is
the last record in the file. WELF places no restrictions on log filenames
or log file rotation policies. In this example, the severity level
is emergency and the name of the security log stream is utm-welf.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security log source-address 1.2.3.4 stream utm-welf set security log source-address 1.2.3.4 stream utm-welf format welf set security log source-address 1.2.3.4 stream utm-welf format welf category content-security set security log source-address 1.2.3.4 stream utm-welf format welf category content-security severity emergency set security log source-address 1.2.3.4 stream utm-welf format welf category content-security severity emergency host 5.6.7.8
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure WELF logging for Content Security features:
Set the security log source IP address.
[edit security log] user@host# set source-address 1.2.3.4
Note:You must save the WELF logging messages to a dedicated WebTrends server.
Name the security log stream.
[edit security log] user@host# set source-address 1.2.3.4 stream utm-welf
Set the format for the log messages.
[edit security log] user@host# set source-address 1.2.3.4 stream utm-welf format welf
Set the category of log messages that are sent.
[edit security log] user@host# set source-address 1.2.3.4 stream utm-welf format welf category content-security
Set the severity level of log messages that are sent.
[edit security log] user@host# set source-address 1.2.3.4 stream utm-welf format welf category content-security severity emergency
Enter the host address of the dedicated WebTrends server to which the log messages are to be sent.
[edit security log] user@host# set source-address 1.2.3.4 stream utm-welf format welf category content-security severity emergency host 5.6.7.8
Results
From configuration mode, confirm your configuration
by entering the show security log command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show security log
stream utm-welf {
severity emergency;
format welf;
category content—
security;
host {
5.6.7.8;
}
}
If you are done configuring the device, enter commit from configuration mode.
Explicit Proxy for Content Security
Content Security support the use of an explicit proxy for the cloud-based connectivity for Enhanced Web Filtering (EWF) and Sophos antivirus (SAV) on Content Security. The explicit proxy hides the identity of the source device and establishes a connection with the destination device.
- Understanding Explicit Proxy
- Configuring the Explicit Proxy on Juniper Enhanced Server
- Verifying the Explicit Proxy Configuration on Juniper Enhanced Server
- Configuring the Predefined Category Upgrading and Base Filter Configuration Using Explicit Proxy
- Verifying the Predefined Category Upgrading and Base Filter Configuration
- Configuring the Sophos Antivirus Pattern Update
- Verifying the Sophos Antivirus Pattern Update
Understanding Explicit Proxy
An explicit proxy hides the identity of source device, communicates directly with the Websense Threatseeker Cloud (TSC) server and establishes a connection with the destination device. The explicit proxy configuration consists of port address and direct IP address or hostname.
To use the explicit proxy, create one or more proxy profiles and refer to those profiles:
In EWF, the explicit proxy is configured by referring to the created
proxy-profileinsecurity utm default-configuration web-filtering juniper-enhanced serverhierarchy. The connection is established with the TSC server.In EWF predefined category upgrading and base filter, the explicit proxy is configured by referring to the created
proxy-profileinsecurity utm custom-objects category-package proxy-profilehierarchy. You can download and dynamically load new EWF categories without any software upgrade. Theproxy-profilecategory file is installed and used for transfer of the traffic.SRX Series Firewall sends CONNECT request to the proxy server, the SRX Series Firewall and TSC server communicates through the HTTP connection. Then the proxy server is expected to identify the configured IP addresses, allowlist and allow SRX Series Firewall to send traffic to the TSC server in cloud via proxy. After proxy filtering, it will create connection to real TSC server.
In Sophos Antivirus (SAV), the explicit proxy is configured by referring to the created
proxy-profileinsecurity utm default-configuration anti-virus sophos-engine pattern-updatehierarchy. The utmd process connects to the proxy host instead of the SAV pattern update server on the cloud.
On EWF, if the proxy profile is configured in Content Security Web filtering configuration, the TSC server connection is established with the proxy host instead of the Content Security server on the cloud.
On SAV, if the proxy profile is configured, the utmd process connects to the proxy host instead of the SAV pattern update server on the cloud.
The proxy server authentication is not supported if the proxy-profile is configured.
Configuring the Explicit Proxy on Juniper Enhanced Server
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
Create a proxy profile with host and port information, and refer it in the Juniper enhanced server to establish a connection to the Content Security cloud server.
The following configuration shows how to configure the explicit proxy on Juniper enhanced server.
Results
From configuration mode, confirm your configuration by entering
the show security and show services command.
If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
[edit]
user@host# show security
default-configuration {
web-filtering {
type juniper-enhanced;
juniper-enhanced {
server {
proxy-profile proxy1;
}
}
}
}
[edit]
user@host# show services
proxy {
profile proxy1 {
protocol {
http {
host 192.0.2.1;
port 3128;
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verifying the Explicit Proxy Configuration on Juniper Enhanced Server
Purpose
Display the status of explicit server on Juniper enhanced server.
Action
From operational mode, enter the show security
utm web-filtering status command.
user@host> show security utm web-filtering statusUTM web-filtering status:
Server status: Juniper Enhanced using Websense server UP
Meaning
This command provides information on server status of Enhanced Web Filtering (EWF) using Websense Threatseeker Cloud (TSC).
Configuring the Predefined Category Upgrading and Base Filter Configuration Using Explicit Proxy
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
Create a proxy profile with host and port information, and refer it in the predefined category upgrade and base filter to download and dynamically load new EWF categories without any software upgrade.
The following configuration shows how to configure the explicit proxy on predefined category upgrading and base filter.
Results
From configuration mode, confirm your configuration by entering
the show security and show services command.
If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
[edit]
user@host# show security
custom-objects {
category-package {
proxy-profile proxy1;
}
}
[edit]
user@host# show services
proxy {
profile proxy1 {
protocol {
http {
host 203.0.113.1;
port 3128;
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verifying the Predefined Category Upgrading and Base Filter Configuration
Purpose
Display the Enhanced Web Filtering (EWF) predefined category package download, install, and update status.
Action
From operational mode, enter the show security
utm web-filtering category status CLI command to see the web
filtering category status.
Before you execute the show security utm web-filtering
category status CLI command, you must execute the request
security utm web-filtering category download-install CLI command
to get the results.
user@host> show security utm web-filtering category status
UTM category status:
Installed version: 1
Download version: 0
Update status: Done
Meaning
This command provides information on the number of installed and downloaded categories and the update status.
Configuring the Sophos Antivirus Pattern Update
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
Create a proxy profile with host and port information, and refer it in the Sophos Antivirus (SAV) pattern update. The utmd process connects to the proxy host instead of the SAV pattern update server on the cloud.
The following configuration shows how to configure the explicit proxy on SAV pattern update.
Results
From configuration mode, confirm your configuration by entering
the show security and show services command.
If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
[edit]
user@host# show security
default-configuration {
anti-virus {
sophos-engine {
pattern-update {
proxy-profile proxy1;
}
}
}
}
[edit]
user@host# show services
proxy {
profile proxy1 {
protocol {
http {
host 203.0.113.1;
port 3128;
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verifying the Sophos Antivirus Pattern Update
Purpose
Display the Sophos Antivirus (SAV) update pattern status.
Action
From operational mode, enter the show security utm anti-virus status CLI command
to see the Content Security antivirus status.
user@host> show security utm anti-virus status
UTM anti-virus status:
Anti-virus key expire date: 2018-08-02 00:00:00
Update server: https://host2.example.com/SAV/
Interval: 1000 minutes
Pattern update status: next update in 979 minutes
Pattern update via proxy server: 203.0.113.1:3128
Last result: already have latest database
Anti-virus signature version: 1.13 (1.02)
Scan engine type: sophos-engine
Scan engine information: last action result: No error
Meaning
This command provides information on the the Sophos Antivirus (SAV) pattern update server, update status, antivirus signature version, antivirus engine type and antivirus engine information.
Unified Policies for Content Security
Understanding Unified Policies [Content Security]
Unified policies are now supported on SRX Series Firewalls, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy.
Unified policies are security policies in which you can use dynamic applications as match conditions along with existing 5-tuple or 6-tuple matching conditions (with user firewall) to detect application changes over time. The use of unified policies enable you to enforce a set of rules for the transit traffic. It uses the match criteria, namely, source zone, destination zone, source addresses, destination addresses, and application names. This results in potential match policies.
The unified policy configuration handles all Application Firewall (AppFW) functionalities and simplifies the task of configuring firewall policy to permit or block application traffic from the network. As part of the unified policy, a new dynamic application policy match condition is added to SRX Series Firewalls, allowing an administrator to more effectively control the behavior of Layer 7 applications.
To accommodate Layer 7 application-based policies in Content Security, the [edit security
utm default-configuration] command is introduced. If any parameter in a
specific Content Security feature profile configuration is not configured, then the
corresponding parameter from the Content Security default configuration is applied.
Additionally, during the initial policy lookup phase which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list which contains different Content Security profiles, the SRX Series Firewall applies the default Content Security profile until a more explicit match has occurred.
Understanding Default Content Security Policy
A new predefined default Content Security policy is available with the factory default configuration to provide a default Content Security configuration. This predefined global Content Security policy inherits the configuration from the default Content Security configuration profile.
If there is an existing Content Security policy defined, it will continue to be used to evaluate traffic based on the existing security policy configuration.
When a policy lookup is performed, existing Content Security policies are evaluated prior to global policies. The predefined Content Security default policy is leveraged if multiple Content Security policies exist in the potential policy list during the Content Security session creation process.
The predefined Content Security default policy parameters are included under [edit
security utm default-configuration] hierarchy level. These parameters
are available for Web filtering, content filtering, antivirus, and antispam profile.
If no Content Security feature profile is configured (Web filtering, content
filtering, antivirus, and antispam), the parameters in the predefined global Content
Security configuration are applied.
The predefined Content Security default policy is available in [edit groups
junos-defaults security utm]. You can modify certain parameters for Web
filtering, content filtering, antivirus, and antispam. You can also modify default
Content Security profile parameters for Web filtering, content filtering, antivirus,
and antispam features profiles at [edit security utm
default-configuration].
See Also
Content Security Support for Chassis Cluster
Content Security is supported for active/active chassis cluster and active/backup chassis cluster configuration. For more information, see the following topics:
- Understanding Content Security Support for Active/Active Chassis Cluster
- Understanding Content Security Support for Active/Backup Chassis Cluster
Understanding Content Security Support for Active/Active Chassis Cluster
Content Security requires a license for each device in the chassis cluster setup. For information about how to purchase a software license, contact your Juniper Networks sales representative at https://www.juniper.net/in/en/contact-us/ and for more information refer Licensing guide.
All the following Content Security features are supported in active/active chassis cluster:
Antispam Filtering
Content Filtering
Sophos Antivirus Scanning
Enhanced Web Filtering
Local Web Filtering
Websense Redirect Web Filtering
On-box/Avira AV
Content Security supports active/active chassis cluster configuration from Junos OS Release 19.4R1 onwards. Active/Active cluster is a cluster where interfaces can be active on both cluster nodes simultaneously. This is the case when there are more than one data-plane redundancy-groups, that is redundancy-groups 1 and higher or when local (non-reth) interfaces are used on the cluster nodes.
Enhanced Web Filtering cloud connection does not support failover, it will create new connection automatically after the old connection is retired.
Understanding Content Security Support for Active/Backup Chassis Cluster
Content Security requires a license for each device in the chassis cluster setup. For information about how to purchase a software license, contact your Juniper Networks sales representative at https://www.juniper.net/in/en/contact-us/.
The following Content Security features are supported in chassis cluster:
Content filtering
URL (Web) filtering
Antispam filtering
Full file-based antivirus scanning
Sophos antivirus scanning
Active/Active cluster is a cluster where interfaces can be active on both cluster nodes at the same time. This is the case when there are more than one data-plane redundancy-groups, i.e. redundancy-groups 1 and higher or when local (non-reth) interfaces are used on the cluster nodes.
If multiple data-plane redundancy-groups are configured, Content Security works only if all the redundancy groups are active in the single node. In case one of the redundancy-group failed over automatically to another node, Content Security won't work.
See Also
Allowlist
A URL allowlist defines all the URLs listed for a specific category to always bypass the scanning process. The allowlist include hostnames that you want to exempt from undergoing SSL proxy processing. For more information, see the following topics:
- Understanding MIME Allowlist
- Example: Configuring MIME Allowlist to Bypass Antivirus Scanning
- Understanding URL Allowlist
- Configuring URL Allowlist to Bypass Antivirus Scanning (CLI Procedure)
Understanding MIME Allowlist
The gateway device uses MIME (Multipurpose Internet Mail Extension) types to decide which traffic may bypass antivirus scanning. The MIME allowlist defines a list of MIME types and can contain one or many MIME entries.
A MIME entry is case-insensitive. An empty MIME is an invalid entry and should never appear in the MIME list. If the MIME entry ends with a / character, prefix matching takes place. Otherwise, exact matching occurs.
There are two types of MIME lists used to configure MIME type antivirus scan bypassing:
mime-allowlist list—This is the comprehensive list for those MIME types that can bypass antivirus scanning.
exception list—The exception list is a list for excluding some MIME types from the mime-allowlist list. This list is a subset of MIME types found in the mime-allowlist.
For example, if the mime-allowlist includes the entry,
video/and the exception list includes the entryvideo/x-shockwave-flash, by using these two lists, you can bypass objects with “video/” MIME type but not bypass “video/x-shockwave-flash” MIME type.You should note that there are limits for mime-allowlist entries as follows:
The maximum number of MIME items in a MIME list is 50.
The maximum length of each MIME entry is restricted to 40 bytes.
The maximum length of a MIME list name string is restricted to 40 bytes.
Example: Configuring MIME Allowlist to Bypass Antivirus Scanning
This example shows how to configure MIME allowlists to bypass antivirus scanning.
Requirements
Before you begin, decide the type of MIME lists used to configure MIME type antivirus scan bypassing. See Understanding MIME Allowlist.
Overview
In this example, you create MIME lists called avmime2 and ex-avmime2 and add patterns to them.
Configuration
Procedure
Step-by-Step Procedure
To configure MIME allowlists to bypass antivirus scanning:
Create MIME lists and add patterns to the lists.
[edit] user@host# set security utm custom-objects mime-pattern avmime2 value [video/quicktime image/x-portable-anymap x-world/x-vrml] user@host# set security utm custom-objects mime-pattern ex-avmime2 value [video/quicktime-inappropriate]
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Understanding URL Allowlist
A URL allowlist defines all the URLs listed for a specific category to always bypass the scanning process. The allowlist includes hostnames that you want to exempt from undergoing SSL proxy processing. There are also legal requirements to exempt financial and banking sites; such exemptions are achieved by configuring URL categories corresponding to those hostnames under the URL allowlists. If any URLs do not require scanning, corresponding categories can be added to this allowlisting.
Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the allowlisting feature is extended to include URL categories supported by Content Security in the allowlist configuration of SSL forward proxy. For more information, see Application Security User Guide for Security Devices.
Starting with Junos OS Release 17.4R1, the allowlisting feature is extended to support custom URL categories supported by Content Security in the allowlist configuration of SSL forward proxy.
Configuring URL Allowlist to Bypass Antivirus Scanning (CLI Procedure)
To configure URL allowlists, use the following CLI configuration statements:
security utm custom-objects {
custom-url-category { ; set of list
name url-category-name; #mandatory
value url-pattern-name;
}
}